8 May 2017
New Data Protection Regulations - are you prepared?
The new General Data Protection Regulation (GDPR) applies from 25 May 2018 and will replace the current Data Protection Act 1998.
The biggest impact will be on companies with 250 or more employees, which must keep written records of their processing activities and may have to appoint a Data Protection Officer (DPO).
Companies with fewer than 250 staff are not exempt: the GDPR imposes direct obligations on data processors, whatever their size, that you will need to understand and build into your policies, procedures and contracts.
You may find that your customers will want to ensure that your services are compatible with the enhanced requirements of the Regulations. If this is the case, you will need to review whether your contractual documentation is adequate and, for existing contracts, check who bears the cost of making changes to the services as a result of the changing regulations.
If you obtain data processing services from a third party, it is very important to determine and document your respective responsibilities.
Establish a framework for accountability
All companies will need to put in place clear policies and practised procedures so that you can react quickly to any data breach and, where required, notify the regulator within 72 hours of becoming aware of it.
Establish a culture of monitoring, reviewing and assessing your data processing procedures, aiming to minimise the data you process and how long you retain it, and building in safeguards.
Check that your staff are trained to understand the company's obligations. Auditable privacy impact assessments (called data protection impact assessments in the GDPR) will also need to be conducted for any high-risk processing activities, and steps should be taken to address the specific risks they identify.
Implement privacy by design
Ensure that privacy is embedded into any new processing or product that is deployed. This needs to be thought about early in the process to enable a structured assessment and systematic validation. Implementing privacy by design can both demonstrate compliance and create competitive advantage.
The legal basis for use of personal data
Consider what data processing you undertake. For example, do you rely on data subject consent or can you show that you have a legitimate interest in processing data that is not overridden by the interests of the data subject? Companies often assume they need to obtain the consent of data subjects to process their data, but consent is just one of a number of ways of legitimising processing activity and may not be the best.
If you do rely on obtaining consent, review whether your documents and forms of consent are adequate and check that consents are freely given, specific, informed and unambiguous. You will bear the burden of proving that valid consent was obtained.
Check privacy notices and policies
The GDPR requires that information provided to data subjects be in clear and plain language, so your privacy notices and policies should be transparent and easily accessible.
Consider the rights of data subjects
Data subjects can exercise their rights under the GDPR, including the right to data portability and the right to erasure. If you store personal data, consider the legitimate grounds for its retention.
The burden of proof will be entirely on you to demonstrate that your legitimate grounds override the interests of the data subjects. Be aware you may also face individuals who have unrealistic expectations of their rights.
International data transfers
For any international data transfers, including intra-group transfers, it will be important to make sure you have a legitimate basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulation.
This is not a new concern, but as failure to comply could attract a fine of up to the greater of €20m and 4% of annual worldwide turnover, the consequences of non-compliance could be severe. You may need to consider adopting binding corporate rules to facilitate intra-group transfers of data.
How the BPIF can help you
The BPIF is offering a two-day GAP Analysis service to member companies to assist compliance with the new General Data Protection Regulations. The analysis will help you to define the roles and responsibilities that apply under the GDPR, and will show you how to integrate GDPR with ISO27001:2013.
It will also provide:
• Guidance for pseudonymisation, minimisation and encryption
• Guidelines for mapping the flow of data
• Sample contract clauses
• Retention of records
• Sample policies and procedures
• GDPR policies and procedures
• Training policies
• Procedures for fair processing of data
• Subject access
• Privacy impact assessment
In addition to this, there is also a basic checklist, agenda for Board meetings and basic work instructions.
For more information contact BPIF Specialist Services at [email protected] or call 01924 203335.
GDPR Workshops:
28 November - Northern Ireland
GDPR and ISO 27001 ISMS (Information Security Management System Standard)
If your company already carries certification to the latest ISO 27001 standard, the following link will help you compare how GDPR affects your ISO 27001 certification.
www.britishprint.com/gdprmapping